HIMSS: Don't fear the auditor
When it comes to HIPAA compliance, even if you’re not where you want to be, that’s no reason to panic, said Christopher Paidhrin, security and compliance officer at Southwest Washington Medical Center in Vancouver, Wash., during a session at the HIMSS virtual conference and expo on June 9.
Auditors understand the barriers to compliance and aren’t looking for airtight hospitals, he said, and “will be very respectful…if you know where you are on the spectrum of compliance.”
Knowing your facility’s place on the spectrum takes some work, however. First, an organization must understand which HIPAA measures apply. Then, they must determine what compliance measures are already in place. Once that assessment is complete, organizations should conduct a gap analysis to see what is still needed.
Documentation is the most important part of the process, Paidhrin said. “The more documentation you have, the more you are on your way,” he added. “If you are prepared, you should have no fear of a HIPAA audit.”
Many of the questions after Paidhrin’s presentation focused on resources, on expectations for physicians and small practices, and where to begin. Following are some of these questions and answers.
What were the biggest challenges you faced building compliance at Southwest Memorial?
The first was convincing leadership to fund staged investments for single sign-on, risk assessment and forensics tools. HIPAA audit just wasn’t a priority. The second was building the awareness process among staff. The solution to the first challenge was demonstrating the benefit of using these tools and building a cohesive compliance program. The second requires an ongoing education program to emphasize the tools and policies in place.
What advice do you have for someone who’s new to the position and doesn’t know where to begin?
A good place to start is to look at the requirements themselves. CMS [Centers for Medicare & Medicaid Services] and HHS [Health and Human Services] have provided a matrix that we’ve been using since 2003 when privacy standards came out. There are 42 HIPAA standards that need to be addressed, as well as HITECH requirements. The matrix of requirements will get you going right away and help you document your program. HIMSS also offers a Privacy and Security tool kit.
How much of this process is applicable to physician offices? Are there different requirements for physicians?
The same standards apply to physician offices. There have been different deadlines for compliance, but the HIPAA law applies to all covered entities. Risk is risk, and it doesn’t necessarily change with the size of an organization. Look at the list of risk categories and decide, at higher levels, is this applicable to my practice?
If I’m with a hospital or a provider organization, I just need to do the risk analysis and document it, and I would be ready for the audit?
Readiness is different from being prepared. If you have conducted risk analyses and mapped out compliance, and you’ve documented and identified the gap between where you know you’re in compliance and what you need to do—if you have that much information together, you’re ready for the audit.
How do you monitor employees around their performance of duties with respect to policies?
All of our IT policies are on our hospital intranet as a group. That helps narrow the search for anyone trying to find out where those policies are. Multi-layered security awareness policies are introduced at new employee orientation, and a rule-based access control (RBAC) matrix defines what information an employee has access to. That RBAC feeds into clinical systems so your role defines your level of access.
Layered controls allow me to run audits for appropriate use. Even though I’m not Big Brother, I do have the tools to know where everyone goes.
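The answer above describes an access-control matrix that feeds role permissions into clinical systems, plus periodic audits of whether access was appropriate. The following Python is an added example (not code from the session or from Southwest Washington Medical Center) of how both halves fit together: a small role-to-permission matrix, and an audit pass over constructed access-log lines that flags two kinds of findings a compliance officer would want to review, actions outside the user's role and chart views of patients not on the user's assignment list. The matrix contents, log format, user names and patient IDs are all constructed for illustration.

```python
"""Added example: a role-based access matrix and an audit pass over access logs.

Everything here (roles, resources, log format, users, patient IDs) is constructed
for illustration; it is not the hospital's actual matrix or log format.
"""
from dataclasses import dataclass

# Hypothetical access matrix: role -> set of (resource, action) pairs permitted.
RBAC_MATRIX = {
    "nurse": {
        ("patient_chart", "read"),
        ("patient_chart", "write"),
        ("medication_orders", "read"),
    },
    "physician": {
        ("patient_chart", "read"),
        ("patient_chart", "write"),
        ("medication_orders", "read"),
        ("medication_orders", "write"),
    },
    "billing": {
        ("patient_demographics", "read"),
        ("claims", "read"),
        ("claims", "write"),
    },
}

# Constructed care/work assignments: user -> patients that user is expected to touch.
ASSIGNMENTS = {
    "jdoe": {"P100", "P101"},
    "akhan": {"P200"},
    "bsmith": {"P200"},
}

# Constructed access-log lines in a simple key=value format.
SAMPLE_LOG = [
    "user=jdoe role=nurse resource=patient_chart action=read patient=P100",
    "user=jdoe role=nurse resource=medication_orders action=write patient=P100",
    "user=bsmith role=billing resource=patient_chart action=read patient=P200",
    "user=jdoe role=nurse resource=patient_chart action=read patient=P999",
    "user=akhan role=physician resource=medication_orders action=write patient=P200",
]


@dataclass(frozen=True)
class AccessEvent:
    user: str
    role: str
    resource: str
    action: str
    patient: str


def is_permitted(role: str, resource: str, action: str) -> bool:
    """Policy decision: does the matrix allow this role to perform action on resource?"""
    return (resource, action) in RBAC_MATRIX.get(role, set())


def parse_log_line(line: str) -> AccessEvent:
    """Parse one constructed key=value log line into an AccessEvent."""
    fields = dict(part.split("=", 1) for part in line.split())
    return AccessEvent(
        fields["user"], fields["role"], fields["resource"], fields["action"], fields["patient"]
    )


def audit(lines, assignments):
    """Return (event, reason) findings for review.

    Two checks are applied in order: the role/matrix check first, then, for
    permitted actions, whether the patient is on the user's assignment list.
    """
    findings = []
    for line in lines:
        ev = parse_log_line(line)
        if not is_permitted(ev.role, ev.resource, ev.action):
            findings.append((ev, "action not permitted for role"))
        elif ev.patient not in assignments.get(ev.user, set()):
            findings.append((ev, "patient not on user's assignment list"))
    return findings


if __name__ == "__main__":
    for event, reason in audit(SAMPLE_LOG, ASSIGNMENTS):
        print(f"{reason}: {event}")
```

On the constructed log the audit returns three findings: a nurse writing medication orders, a billing user reading a chart, and a nurse reading the chart of a patient not on her assignment list. The second check is the one that catches the case the matrix alone cannot, where the role is allowed to read charts in general but the specific access still warrants review.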
Are HITECH breach detection and response capabilities included in an audit?
Yes, the HITECH Act requires you to log and report all incidents, and establish a consistent risk assessment for every event that happens in your organization. Those criteria for what is and what is not a breach need to be consistently applied. Reports are relative to significant risk, and we all have to come up with our own assessment of what constitutes significant risk.